Vulnerability Bulletins |
Ejecución de código arbitrario en Cairo |
|
Vulnerability classification |
|
| Property | Value |
| Confidence level | Oficial |
| Impact | Obtener acceso |
| Dificulty | Experto |
| Required attacker level | Acceso remoto sin cuenta a un servicio estandar |
System information |
|
| Property | Value |
| Affected manufacturer | GNU/Linux |
| Affected software | Cairo |
Description |
|
|
Se ha encontrado una vulnerabilidad del tipo desbordamiento de entero en Cairo. La vulnerabilidad reside en un error en la función read_png() en la forma en que procesa las imágenes PNG. Un atacante remoto podría ejecutar código arbitrario mediante una imagen PNG especialmente diseñada. |
|
Solution |
|
|
Actualización de software Red Hat (RHSA-2007:1078-3) RHEL Desktop Workstation (v. 5 client) Red Hat Enterprise Linux (v. 5 server) Red Hat Enterprise Linux Desktop (v. 5 client) https://rhn.redhat.com/ Mandriva (MDVSA-2008:019) Mandriva Linux 2007 ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.0/i586/media/main/updates/libcairo2-1.2.4-2.1mdv2007.0.i586.rpm ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.0/i586/media/main/updates/libcairo2-devel-1.2.4-2.1mdv2007.0.i586.rpm ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.0/i586/media/main/updates/libcairo2-static-devel-1.2.4-2.1mdv2007.0.i586.rpm ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.0/SRPMS/main/updates/cairo-1.2.4-2.1mdv2007.0.src.rpm X86_64 ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.0/x86_64/media/main/updates/lib64cairo2-1.2.4-2.1mdv2007.0.x86_64.rpm ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.0/x86_64/media/main/updates/lib64cairo2-devel-1.2.4-2.1mdv2007.0.x86_64.rpm ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.0/x86_64/media/main/updates/lib64cairo2-static-devel-1.2.4-2.1mdv2007.0.x86_64.rpm ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.0/SRPMS/main/updates/cairo-1.2.4-2.1mdv2007.0.src.rpm Mandriva Linux 2007.1 ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.1/i586/media/main/updates/libcairo2-1.4.2-1.1mdv2007.1.i586.rpm ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.1/i586/media/main/updates/libcairo2-devel-1.4.2-1.1mdv2007.1.i586.rpm ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.1/i586/media/main/updates/libcairo2-static-devel-1.4.2-1.1mdv2007.1.i586.rpm ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.1/SRPMS/main/updates/cairo-1.4.2-1.1mdv2007.1.src.rpm X86_64 ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.1/x86_64/media/main/updates/lib64cairo2-1.4.2-1.1mdv2007.1.x86_64.rpm ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.1/x86_64/media/main/updates/lib64cairo2-devel-1.4.2-1.1mdv2007.1.x86_64.rpm ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.1/x86_64/media/main/updates/lib64cairo2-static-devel-1.4.2-1.1mdv2007.1.x86_64.rpm ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2007.1/SRPMS/main/updates/cairo-1.4.2-1.1mdv2007.1.src.rpm Mandriva Linux 2008.0 ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2008.0/i586/media/main/updates/libcairo-devel-1.4.10-2.2mdv2008.0.i586.rpm ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2008.0/i586/media/main/updates/libcairo-static-devel-1.4.10-2.2mdv2008.0.i586.rpm ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2008.0/i586/media/main/updates/libcairo2-1.4.10-2.2mdv2008.0.i586.rpm ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2008.0/SRPMS/main/updates/cairo-1.4.10-2.2mdv2008.0.src.rpm X86_64 ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2008.0/x86_64/media/main/updates/lib64cairo-devel-1.4.10-2.2mdv2008.0.x86_64.rpm ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2008.0/x86_64/media/main/updates/lib64cairo-static-devel-1.4.10-2.2mdv2008.0.x86_64.rpm ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2008.0/x86_64/media/main/updates/lib64cairo2-1.4.10-2.2mdv2008.0.x86_64.rpm ftp://ftp.cica.es/pub/Linux/Mandrakelinux/official/updates/2008.0/SRPMS/main/updates/cairo-1.4.10-2.2mdv2008.0.src.rpm Corporate Server 4.0 corporate/4.0/i586/libcairo2-1.0.0-8.2.20060mlcs4.i586.rpm corporate/4.0/i586/libcairo2-devel-1.0.0-8.2.20060mlcs4.i586.rpm corporate/4.0/i586/libcairo2-static-devel-1.0.0-8.2.20060mlcs4.i586.rpm corporate/4.0/SRPMS/cairo-1.0.0-8.2.20060mlcs4.src.rpm X86_64 corporate/4.0/x86_64/lib64cairo2-1.0.0-8.2.20060mlcs4.x86_64.rpm corporate/4.0/x86_64/lib64cairo2-devel-1.0.0-8.2.20060mlcs4.x86_64.rpm corporate/4.0/x86_64/lib64cairo2-static-devel-1.0.0-8.2.20060mlcs4.x86_64.rpm corporate/4.0/SRPMS/cairo-1.0.0-8.2.20060mlcs4.src.rpm Suse Linux Las actualizaciones pueden descargarse mediante YAST o del servidor FTP oficial de Suse Linux. Debian (DSA-1542-1) Debian Linux 4.0 Source http://security.debian.org/pool/updates/main/libc/libcairo/libcairo_1.2.4-4.1+etch1.dsc http://security.debian.org/pool/updates/main/libc/libcairo/libcairo_1.2.4.orig.tar.gz http://security.debian.org/pool/updates/main/libc/libcairo/libcairo_1.2.4-4.1+etch1.diff.gz Arquitectura independiente http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2-doc_1.2.4-4.1+etch1_all.deb alpha (DEC Alpha) http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2-dev_1.2.4-4.1+etch1_alpha.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2_1.2.4-4.1+etch1_alpha.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-udeb_1.2.4-4.1+etch1_alpha.udeb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2_1.2.4-4.1+etch1_alpha.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-dev_1.2.4-4.1+etch1_alpha.deb amd64 (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-dev_1.2.4-4.1+etch1_amd64.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2_1.2.4-4.1+etch1_amd64.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-udeb_1.2.4-4.1+etch1_amd64.udeb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2-dev_1.2.4-4.1+etch1_amd64.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2_1.2.4-4.1+etch1_amd64.deb arm (ARM) http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-dev_1.2.4-4.1+etch1_arm.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2-dev_1.2.4-4.1+etch1_arm.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2_1.2.4-4.1+etch1_arm.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2_1.2.4-4.1+etch1_arm.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-udeb_1.2.4-4.1+etch1_arm.udeb hppa (HP PA RISC) http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2_1.2.4-4.1+etch1_hppa.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2_1.2.4-4.1+etch1_hppa.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2-dev_1.2.4-4.1+etch1_hppa.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-udeb_1.2.4-4.1+etch1_hppa.udeb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-dev_1.2.4-4.1+etch1_hppa.deb i386 (Intel ia32) http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2_1.2.4-4.1+etch1_i386.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-udeb_1.2.4-4.1+etch1_i386.udeb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2_1.2.4-4.1+etch1_i386.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-dev_1.2.4-4.1+etch1_i386.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2-dev_1.2.4-4.1+etch1_i386.deb ia64 (Intel ia64) http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-dev_1.2.4-4.1+etch1_ia64.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2-dev_1.2.4-4.1+etch1_ia64.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-udeb_1.2.4-4.1+etch1_ia64.udeb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2_1.2.4-4.1+etch1_ia64.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2_1.2.4-4.1+etch1_ia64.deb mips (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2-dev_1.2.4-4.1+etch1_mips.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-dev_1.2.4-4.1+etch1_mips.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2_1.2.4-4.1+etch1_mips.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2_1.2.4-4.1+etch1_mips.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-udeb_1.2.4-4.1+etch1_mips.udeb mipsel (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2_1.2.4-4.1+etch1_mipsel.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2_1.2.4-4.1+etch1_mipsel.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-dev_1.2.4-4.1+etch1_mipsel.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2-dev_1.2.4-4.1+etch1_mipsel.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-udeb_1.2.4-4.1+etch1_mipsel.udeb powerpc (PowerPC) http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2_1.2.4-4.1+etch1_powerpc.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-dev_1.2.4-4.1+etch1_powerpc.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2-dev_1.2.4-4.1+etch1_powerpc.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2_1.2.4-4.1+etch1_powerpc.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-udeb_1.2.4-4.1+etch1_powerpc.udeb s390 (IBM S/390) http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2-dev_1.2.4-4.1+etch1_s390.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-dev_1.2.4-4.1+etch1_s390.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-udeb_1.2.4-4.1+etch1_s390.udeb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2_1.2.4-4.1+etch1_s390.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2_1.2.4-4.1+etch1_s390.deb sparc (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-dev_1.2.4-4.1+etch1_sparc.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2_1.2.4-4.1+etch1_sparc.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2_1.2.4-4.1+etch1_sparc.deb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo-directfb2-udeb_1.2.4-4.1+etch1_sparc.udeb http://security.debian.org/pool/updates/main/libc/libcairo/libcairo2-dev_1.2.4-4.1+etch1_sparc.deb |
|
Standar resources |
|
| Property | Value |
| CVE | CVE-2007-5503 |
| BID | |
Other resources |
|
|
Red Hat Security Advisory (RHSA-2007:1078-3) https://rhn.redhat.com/errata/RHSA-2007-1078.html Mandriva Security Advisory (MDVSA-2008:019) http://www.mandriva.com/en/security/advisories?name=MDVSA-2008:019 SUSE Security Advisory (SUSE-SR:2008:003) http://www.novell.com/linux/security/advisories/2008_3_sr.htm Debian Security Advisory (DSA-1542-1) http://lists.debian.org/debian-security-announce/2008/msg00112.html |
|
Version history |
||
| Version | Comments | Date |
| 1.0 | Aviso emitido | 2007-11-30 |
| 1.1 | Aviso emitido por Mandriva (MDVSA-2008:019) | 2008-01-22 |
| 1.2 | Aviso emitido por Suse (SUSE-SR:2008:003) | 2008-02-11 |
| 1.3 | Aviso emitido por Debian (DSA-1542-1) | 2008-04-14 |